Analysis
-
max time kernel
79s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
07/11/2024, 03:55
Static task
static1
Behavioral task
behavioral1
Sample
bf8befcc829d2b95f6596d6ac7618d96e77c555e48d6dec0cc5574d727dee7f1.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
bf8befcc829d2b95f6596d6ac7618d96e77c555e48d6dec0cc5574d727dee7f1.exe
Resource
win10v2004-20241007-en
General
-
Target
bf8befcc829d2b95f6596d6ac7618d96e77c555e48d6dec0cc5574d727dee7f1.exe
-
Size
512KB
-
MD5
9278bb6611427eda67fd4a8490594fb0
-
SHA1
03469989fef7f5dd503022b3c0683451d4bc69dd
-
SHA256
bf8befcc829d2b95f6596d6ac7618d96e77c555e48d6dec0cc5574d727dee7f1
-
SHA512
39a4e0b8cdf7a36691f81001b9b55d75110300d6a2ecd24a2b6e66cbec0109969d542af11215350cc32afc3a98f0c4e0826d7c54bdbd94453b1e22d7183ef70a
-
SSDEEP
12288:dQ68e+FGyXu1jGG1ws5iETdqvZNemWrsiLk6mqgSg9:a68eKGyXsGG1ws5ipr
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oaonfncb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbnpfnfa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npbpjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bojmogak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ibafhmph.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iinadl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dmpedk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inopce32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dddodd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaonfncb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cgfdmf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbeqalkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Emjnikpc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjnkac32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Indkgm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaqnmbdd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hilghaqq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gncblo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fmfpnb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dechlfkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dkggel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Odknmi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Haldgbkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hilghaqq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gnfoao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Idlgohcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kceijg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gdciej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jepnck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lehfcc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbaebh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Beccgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dechlfkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hhklibbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jodkkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ebfpglkn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fqbbig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fbjeao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jqeqhlii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hacabgig.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Megmpi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olcoaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jbcnloam.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pphilb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emjnikpc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbajjiml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lofono32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgdippej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agikmeeg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eofkgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gabpco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pflnlj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfnomgqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Depgeiag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ddjmaebi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Onejljep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgienc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajhkka32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bapcaocc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nhmpmcaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dodhpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cnhjbjam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iejpfjha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pfiafk32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2172 Gdgoll32.exe 1144 Hghhngjb.exe 2776 Inopce32.exe 2900 Iglngj32.exe 2696 Jjocoedg.exe 2924 Jccjln32.exe 2120 Knkkngol.exe 1552 Lebcdd32.exe 1156 Lhclfphg.exe 2984 Mpgdaqmh.exe 2968 Nlcnaaog.exe 2096 Nnidchqp.exe 1680 Nchiao32.exe 584 Ofphdi32.exe 2400 Oiqaed32.exe 1684 Pkajgonp.exe 1068 Pphilb32.exe 1492 Aanonj32.exe 1104 Ajipmocp.exe 1756 Afamgpga.exe 2040 Adenqd32.exe 2492 Blelpeoa.exe 1364 Babdhlmh.exe 1236 Bepmokco.exe 2336 Coknmp32.exe 636 Cpogjh32.exe 2948 Cpadpg32.exe 2504 Cpcaeghc.exe 2876 Dcdjgbed.exe 2928 Dfecim32.exe 2836 Dheljhof.exe 2688 Dkfdlclg.exe 772 Emjnikpc.exe 2764 Echpaecj.exe 1496 Ekcdegqe.exe 2728 Faefim32.exe 2848 Fjnkac32.exe 1072 Fnnpma32.exe 968 Fdkheh32.exe 2552 Gpdfph32.exe 2192 Gljfeimi.exe 648 Gbdobc32.exe 1752 Ghagjj32.exe 1572 Hobfgcdb.exe 2000 Hilghaqq.exe 2508 Ianambhc.exe 1964 Iobbfggm.exe 3064 Ikibkhla.exe 1592 Ihmcelkk.exe 2760 Jnlhbb32.exe 2044 Jgdmkhnp.exe 2432 Jdhmel32.exe 2892 Jmcbio32.exe 2684 Jgiffg32.exe 1632 Jodkkj32.exe 1736 Jmhkdnfp.exe 1980 Kiolio32.exe 2996 Kiaiooja.exe 236 Kehidp32.exe 1300 Kbljmd32.exe 2548 Kemcookp.exe 2064 Lafpipoa.exe 1092 Liaenblm.exe 1772 Lehfcc32.exe -
Loads dropped DLL 64 IoCs
pid Process 2376 bf8befcc829d2b95f6596d6ac7618d96e77c555e48d6dec0cc5574d727dee7f1.exe 2376 bf8befcc829d2b95f6596d6ac7618d96e77c555e48d6dec0cc5574d727dee7f1.exe 2172 Gdgoll32.exe 2172 Gdgoll32.exe 1144 Hghhngjb.exe 1144 Hghhngjb.exe 2776 Inopce32.exe 2776 Inopce32.exe 2900 Iglngj32.exe 2900 Iglngj32.exe 2696 Jjocoedg.exe 2696 Jjocoedg.exe 2924 Jccjln32.exe 2924 Jccjln32.exe 2120 Knkkngol.exe 2120 Knkkngol.exe 1552 Lebcdd32.exe 1552 Lebcdd32.exe 1156 Lhclfphg.exe 1156 Lhclfphg.exe 2984 Mpgdaqmh.exe 2984 Mpgdaqmh.exe 2968 Nlcnaaog.exe 2968 Nlcnaaog.exe 2096 Nnidchqp.exe 2096 Nnidchqp.exe 1680 Nchiao32.exe 1680 Nchiao32.exe 584 Ofphdi32.exe 584 Ofphdi32.exe 2400 Oiqaed32.exe 2400 Oiqaed32.exe 1684 Pkajgonp.exe 1684 Pkajgonp.exe 1068 Pphilb32.exe 1068 Pphilb32.exe 1492 Aanonj32.exe 1492 Aanonj32.exe 1104 Ajipmocp.exe 1104 Ajipmocp.exe 1756 Afamgpga.exe 1756 Afamgpga.exe 2040 Adenqd32.exe 2040 Adenqd32.exe 2492 Blelpeoa.exe 2492 Blelpeoa.exe 1364 Babdhlmh.exe 1364 Babdhlmh.exe 1236 Bepmokco.exe 1236 Bepmokco.exe 2336 Coknmp32.exe 2336 Coknmp32.exe 636 Cpogjh32.exe 636 Cpogjh32.exe 2948 Cpadpg32.exe 2948 Cpadpg32.exe 2504 Cpcaeghc.exe 2504 Cpcaeghc.exe 2876 Dcdjgbed.exe 2876 Dcdjgbed.exe 2928 Dfecim32.exe 2928 Dfecim32.exe 2836 Dheljhof.exe 2836 Dheljhof.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Lfehpobj.exe Liaggk32.exe File created C:\Windows\SysWOW64\Jkhjin32.exe Jlcmhann.exe File created C:\Windows\SysWOW64\Pfjoeg32.dll Mdmdpd32.exe File opened for modification C:\Windows\SysWOW64\Dmpedk32.exe Dmnhok32.exe File created C:\Windows\SysWOW64\Fphqehda.exe Fgolmbnq.exe File created C:\Windows\SysWOW64\Dbmflkli.dll Gdciej32.exe File opened for modification C:\Windows\SysWOW64\Iilqnp32.exe Iaqljman.exe File created C:\Windows\SysWOW64\Fnnpma32.exe Fjnkac32.exe File created C:\Windows\SysWOW64\Heefcm32.dll Acdcdm32.exe File created C:\Windows\SysWOW64\Idjlbqmb.exe Impdeg32.exe File created C:\Windows\SysWOW64\Onfflllg.dll Bkapla32.exe File opened for modification C:\Windows\SysWOW64\Ehklpbam.exe Ecncjckf.exe File created C:\Windows\SysWOW64\Ajjdea32.dll Aaqnmbdd.exe File created C:\Windows\SysWOW64\Hacabgig.exe Hhklibbf.exe File created C:\Windows\SysWOW64\Nijohc32.dll Fqeagpop.exe File opened for modification C:\Windows\SysWOW64\Cgibpj32.exe Chdeonfa.exe File opened for modification C:\Windows\SysWOW64\Lgipmf32.exe Kdhgkk32.exe File created C:\Windows\SysWOW64\Eijpll32.dll Gkhenlcd.exe File created C:\Windows\SysWOW64\Bdiciboh.exe Ajcpgi32.exe File created C:\Windows\SysWOW64\Qfdpgd32.exe Qohkdkdn.exe File opened for modification C:\Windows\SysWOW64\Fdcahdib.exe Fkkmoo32.exe File created C:\Windows\SysWOW64\Gceghn32.exe Ggofcmih.exe File opened for modification C:\Windows\SysWOW64\Llkijb32.exe Lpdhea32.exe File created C:\Windows\SysWOW64\Albpef32.exe Aiagck32.exe File created C:\Windows\SysWOW64\Qhadob32.exe Ppdbepon.exe File created C:\Windows\SysWOW64\Eomoohoi.exe Ellfmm32.exe File created C:\Windows\SysWOW64\Oehcfq32.dll Dbihccpg.exe File created C:\Windows\SysWOW64\Ncnplogn.exe Nggpgn32.exe File created C:\Windows\SysWOW64\Fbhjbkfl.dll Omfadgqj.exe File created C:\Windows\SysWOW64\Afpnikda.exe Aoeflamd.exe File created C:\Windows\SysWOW64\Dbeqalkp.exe Dodhpa32.exe File opened for modification C:\Windows\SysWOW64\Jqeqhlii.exe Jchjqc32.exe File created C:\Windows\SysWOW64\Jknfon32.dll Nhjaok32.exe File opened for modification C:\Windows\SysWOW64\Chdeonfa.exe Cdflhppk.exe File created C:\Windows\SysWOW64\Ceioka32.exe Cmnjgo32.exe File created C:\Windows\SysWOW64\Kjfgfajf.dll Ggofcmih.exe File created C:\Windows\SysWOW64\Hmfjda32.exe Hblidd32.exe File created C:\Windows\SysWOW64\Pemedh32.exe Pbmlbmfg.exe File created C:\Windows\SysWOW64\Fkkmoo32.exe Fmfpnb32.exe File created C:\Windows\SysWOW64\Nlhaqbbc.dll Beibln32.exe File created C:\Windows\SysWOW64\Ggjmhn32.exe Goohckob.exe File opened for modification C:\Windows\SysWOW64\Fkfobbjo.exe Fopnma32.exe File opened for modification C:\Windows\SysWOW64\Mgkiaihl.exe Mleedphf.exe File created C:\Windows\SysWOW64\Pcgnfl32.exe Ommfibdg.exe File opened for modification C:\Windows\SysWOW64\Ppkahi32.exe Plnhbk32.exe File opened for modification C:\Windows\SysWOW64\Aclfigao.exe Anonqq32.exe File opened for modification C:\Windows\SysWOW64\Khgglp32.exe Kkcfbkfj.exe File created C:\Windows\SysWOW64\Cofjhc32.dll Kkcfbkfj.exe File opened for modification C:\Windows\SysWOW64\Fbjeao32.exe Fefdhj32.exe File created C:\Windows\SysWOW64\Kjbnlqld.exe Kceijg32.exe File created C:\Windows\SysWOW64\Ofbgbaio.exe Ohofimje.exe File opened for modification C:\Windows\SysWOW64\Jccjln32.exe Jjocoedg.exe File opened for modification C:\Windows\SysWOW64\Dilggefh.exe Cgkoejig.exe File created C:\Windows\SysWOW64\Hinolcbf.exe Hnhjok32.exe File created C:\Windows\SysWOW64\Ckcema32.dll Lmcfeh32.exe File opened for modification C:\Windows\SysWOW64\Mfpdim32.exe Mqckaf32.exe File created C:\Windows\SysWOW64\Ddjmaebi.exe Dmpedk32.exe File created C:\Windows\SysWOW64\Jfmede32.dll Namebk32.exe File created C:\Windows\SysWOW64\Gfgojdlf.dll Epkjoc32.exe File opened for modification C:\Windows\SysWOW64\Jmcbio32.exe Jdhmel32.exe File created C:\Windows\SysWOW64\Mochmm32.exe Mdmdpd32.exe File created C:\Windows\SysWOW64\Qdqpab32.dll Aoeflamd.exe File created C:\Windows\SysWOW64\Aohoja32.dll Fphqehda.exe File created C:\Windows\SysWOW64\Gjpama32.exe Gdciej32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3648 2920 WerFault.exe 604 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bf8befcc829d2b95f6596d6ac7618d96e77c555e48d6dec0cc5574d727dee7f1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hghhngjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmpemkkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljakkd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Facmhk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iglngj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkpjfkhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hiccbfoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghmokomm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdgoll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giafmfad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aiagck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gihdblpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcceqa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hobfgcdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qohkdkdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Badlln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnemnbmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cahbem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfnomgqe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibafhmph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jinkkgeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddjmaebi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adenqd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdiciboh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjgpqjqa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdbpml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnnecoah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pemedh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmnhok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqeqhlii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckjqog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnjkdcii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edljfd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kceijg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaigab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlcmhann.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmdcecpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgiffg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qnlobhne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koacjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bapcaocc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bngicb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deanooeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdgeanne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoeflamd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kipfhbmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adokdbib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jccjln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfbnfcli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjgiad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohifch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnidchqp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Penlon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akbkhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbmlbmfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgmogcpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hilghaqq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egpdom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkelhemb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gddppp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocbekmpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cemfnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbjeao32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Khojqj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nopqlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnchedie.dll" Jccjln32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ianambhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ekjjebed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Khakhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfjoeg32.dll" Mdmdpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kniaap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Afpnikda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lhclfphg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bpdnjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfegkk32.dll" Mdidhfdp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ggofcmih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kjimafji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Liaggk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bojmogak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebfdocio.dll" Gjpama32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omanfl32.dll" Hcolgenf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pphilb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggefdf32.dll" Hnoane32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nofbnd32.dll" Liaggk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jinkkgeb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Afpnikda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnmkim32.dll" Qdeokd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffnadi32.dll" Okecak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfdanc32.dll" Ghqqpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cakaed32.dll" Inbobn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjdion32.dll" Pkajgonp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Giafmfad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qdbbedhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmkhobf.dll" Aklgabbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Johmhhhj.dll" Gceghn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mochmm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aklgabbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fchigcab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bpbadcbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ebfpglkn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jchjqc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Odlpfblm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chibhf32.dll" Onejljep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cdflhppk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcmfal32.dll" Blelpeoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpligk32.dll" Hbomdjoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aioapp32.dll" Fkfobbjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ejoagm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ennlmb32.dll" Hjmjln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Icadpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Degage32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fcnkemgi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hbomdjoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akdmoj32.dll" Bcklmdqn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Emeejpjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" bf8befcc829d2b95f6596d6ac7618d96e77c555e48d6dec0cc5574d727dee7f1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Chiedc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mlogojjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Haldgbkc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kipfhbmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pfiafk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obaqpg32.dll" Lnkjfcik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aclfigao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijocej32.dll" Joomnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hmfjda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mmpodedg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Liaenblm.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2376 wrote to memory of 2172 2376 bf8befcc829d2b95f6596d6ac7618d96e77c555e48d6dec0cc5574d727dee7f1.exe 29 PID 2376 wrote to memory of 2172 2376 bf8befcc829d2b95f6596d6ac7618d96e77c555e48d6dec0cc5574d727dee7f1.exe 29 PID 2376 wrote to memory of 2172 2376 bf8befcc829d2b95f6596d6ac7618d96e77c555e48d6dec0cc5574d727dee7f1.exe 29 PID 2376 wrote to memory of 2172 2376 bf8befcc829d2b95f6596d6ac7618d96e77c555e48d6dec0cc5574d727dee7f1.exe 29 PID 2172 wrote to memory of 1144 2172 Gdgoll32.exe 30 PID 2172 wrote to memory of 1144 2172 Gdgoll32.exe 30 PID 2172 wrote to memory of 1144 2172 Gdgoll32.exe 30 PID 2172 wrote to memory of 1144 2172 Gdgoll32.exe 30 PID 1144 wrote to memory of 2776 1144 Hghhngjb.exe 31 PID 1144 wrote to memory of 2776 1144 Hghhngjb.exe 31 PID 1144 wrote to memory of 2776 1144 Hghhngjb.exe 31 PID 1144 wrote to memory of 2776 1144 Hghhngjb.exe 31 PID 2776 wrote to memory of 2900 2776 Inopce32.exe 32 PID 2776 wrote to memory of 2900 2776 Inopce32.exe 32 PID 2776 wrote to memory of 2900 2776 Inopce32.exe 32 PID 2776 wrote to memory of 2900 2776 Inopce32.exe 32 PID 2900 wrote to memory of 2696 2900 Iglngj32.exe 33 PID 2900 wrote to memory of 2696 2900 Iglngj32.exe 33 PID 2900 wrote to memory of 2696 2900 Iglngj32.exe 33 PID 2900 wrote to memory of 2696 2900 Iglngj32.exe 33 PID 2696 wrote to memory of 2924 2696 Jjocoedg.exe 34 PID 2696 wrote to memory of 2924 2696 Jjocoedg.exe 34 PID 2696 wrote to memory of 2924 2696 Jjocoedg.exe 34 PID 2696 wrote to memory of 2924 2696 Jjocoedg.exe 34 PID 2924 wrote to memory of 2120 2924 Jccjln32.exe 35 PID 2924 wrote to memory of 2120 2924 Jccjln32.exe 35 PID 2924 wrote to memory of 2120 2924 Jccjln32.exe 35 PID 2924 wrote to memory of 2120 2924 Jccjln32.exe 35 PID 2120 wrote to memory of 1552 2120 Knkkngol.exe 36 PID 2120 wrote to memory of 1552 2120 Knkkngol.exe 36 PID 2120 wrote to memory of 1552 2120 Knkkngol.exe 36 PID 2120 wrote to memory of 1552 2120 Knkkngol.exe 36 PID 1552 wrote to memory of 1156 1552 Lebcdd32.exe 37 PID 1552 wrote to memory of 1156 1552 Lebcdd32.exe 37 PID 1552 wrote to memory of 1156 1552 Lebcdd32.exe 37 PID 1552 wrote to memory of 1156 1552 Lebcdd32.exe 37 PID 1156 wrote to memory of 2984 1156 Lhclfphg.exe 38 PID 1156 wrote to memory of 2984 1156 Lhclfphg.exe 38 PID 1156 wrote to memory of 2984 1156 Lhclfphg.exe 38 PID 1156 wrote to memory of 2984 1156 Lhclfphg.exe 38 PID 2984 wrote to memory of 2968 2984 Mpgdaqmh.exe 39 PID 2984 wrote to memory of 2968 2984 Mpgdaqmh.exe 39 PID 2984 wrote to memory of 2968 2984 Mpgdaqmh.exe 39 PID 2984 wrote to memory of 2968 2984 Mpgdaqmh.exe 39 PID 2968 wrote to memory of 2096 2968 Nlcnaaog.exe 40 PID 2968 wrote to memory of 2096 2968 Nlcnaaog.exe 40 PID 2968 wrote to memory of 2096 2968 Nlcnaaog.exe 40 PID 2968 wrote to memory of 2096 2968 Nlcnaaog.exe 40 PID 2096 wrote to memory of 1680 2096 Nnidchqp.exe 41 PID 2096 wrote to memory of 1680 2096 Nnidchqp.exe 41 PID 2096 wrote to memory of 1680 2096 Nnidchqp.exe 41 PID 2096 wrote to memory of 1680 2096 Nnidchqp.exe 41 PID 1680 wrote to memory of 584 1680 Nchiao32.exe 42 PID 1680 wrote to memory of 584 1680 Nchiao32.exe 42 PID 1680 wrote to memory of 584 1680 Nchiao32.exe 42 PID 1680 wrote to memory of 584 1680 Nchiao32.exe 42 PID 584 wrote to memory of 2400 584 Ofphdi32.exe 43 PID 584 wrote to memory of 2400 584 Ofphdi32.exe 43 PID 584 wrote to memory of 2400 584 Ofphdi32.exe 43 PID 584 wrote to memory of 2400 584 Ofphdi32.exe 43 PID 2400 wrote to memory of 1684 2400 Oiqaed32.exe 44 PID 2400 wrote to memory of 1684 2400 Oiqaed32.exe 44 PID 2400 wrote to memory of 1684 2400 Oiqaed32.exe 44 PID 2400 wrote to memory of 1684 2400 Oiqaed32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\bf8befcc829d2b95f6596d6ac7618d96e77c555e48d6dec0cc5574d727dee7f1.exe"C:\Users\Admin\AppData\Local\Temp\bf8befcc829d2b95f6596d6ac7618d96e77c555e48d6dec0cc5574d727dee7f1.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\SysWOW64\Gdgoll32.exeC:\Windows\system32\Gdgoll32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\SysWOW64\Hghhngjb.exeC:\Windows\system32\Hghhngjb.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1144 -
C:\Windows\SysWOW64\Inopce32.exeC:\Windows\system32\Inopce32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Iglngj32.exeC:\Windows\system32\Iglngj32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Jjocoedg.exeC:\Windows\system32\Jjocoedg.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\Jccjln32.exeC:\Windows\system32\Jccjln32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\Knkkngol.exeC:\Windows\system32\Knkkngol.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\SysWOW64\Lebcdd32.exeC:\Windows\system32\Lebcdd32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1552 -
C:\Windows\SysWOW64\Lhclfphg.exeC:\Windows\system32\Lhclfphg.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1156 -
C:\Windows\SysWOW64\Mpgdaqmh.exeC:\Windows\system32\Mpgdaqmh.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\Nlcnaaog.exeC:\Windows\system32\Nlcnaaog.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Nnidchqp.exeC:\Windows\system32\Nnidchqp.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\SysWOW64\Nchiao32.exeC:\Windows\system32\Nchiao32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\SysWOW64\Ofphdi32.exeC:\Windows\system32\Ofphdi32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:584 -
C:\Windows\SysWOW64\Oiqaed32.exeC:\Windows\system32\Oiqaed32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\Pkajgonp.exeC:\Windows\system32\Pkajgonp.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1684 -
C:\Windows\SysWOW64\Pphilb32.exeC:\Windows\system32\Pphilb32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1068 -
C:\Windows\SysWOW64\Aanonj32.exeC:\Windows\system32\Aanonj32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1492 -
C:\Windows\SysWOW64\Ajipmocp.exeC:\Windows\system32\Ajipmocp.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1104 -
C:\Windows\SysWOW64\Afamgpga.exeC:\Windows\system32\Afamgpga.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1756 -
C:\Windows\SysWOW64\Adenqd32.exeC:\Windows\system32\Adenqd32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2040 -
C:\Windows\SysWOW64\Blelpeoa.exeC:\Windows\system32\Blelpeoa.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2492 -
C:\Windows\SysWOW64\Babdhlmh.exeC:\Windows\system32\Babdhlmh.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1364 -
C:\Windows\SysWOW64\Bepmokco.exeC:\Windows\system32\Bepmokco.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1236 -
C:\Windows\SysWOW64\Coknmp32.exeC:\Windows\system32\Coknmp32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2336 -
C:\Windows\SysWOW64\Cpogjh32.exeC:\Windows\system32\Cpogjh32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:636 -
C:\Windows\SysWOW64\Cpadpg32.exeC:\Windows\system32\Cpadpg32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2948 -
C:\Windows\SysWOW64\Cpcaeghc.exeC:\Windows\system32\Cpcaeghc.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2504 -
C:\Windows\SysWOW64\Dcdjgbed.exeC:\Windows\system32\Dcdjgbed.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2876 -
C:\Windows\SysWOW64\Dfecim32.exeC:\Windows\system32\Dfecim32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2928 -
C:\Windows\SysWOW64\Dheljhof.exeC:\Windows\system32\Dheljhof.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2836 -
C:\Windows\SysWOW64\Dkfdlclg.exeC:\Windows\system32\Dkfdlclg.exe33⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Emjnikpc.exeC:\Windows\system32\Emjnikpc.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:772 -
C:\Windows\SysWOW64\Echpaecj.exeC:\Windows\system32\Echpaecj.exe35⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Ekcdegqe.exeC:\Windows\system32\Ekcdegqe.exe36⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Faefim32.exeC:\Windows\system32\Faefim32.exe37⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Fjnkac32.exeC:\Windows\system32\Fjnkac32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2848 -
C:\Windows\SysWOW64\Fnnpma32.exeC:\Windows\system32\Fnnpma32.exe39⤵
- Executes dropped EXE
PID:1072 -
C:\Windows\SysWOW64\Fdkheh32.exeC:\Windows\system32\Fdkheh32.exe40⤵
- Executes dropped EXE
PID:968 -
C:\Windows\SysWOW64\Gpdfph32.exeC:\Windows\system32\Gpdfph32.exe41⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Gljfeimi.exeC:\Windows\system32\Gljfeimi.exe42⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Gbdobc32.exeC:\Windows\system32\Gbdobc32.exe43⤵
- Executes dropped EXE
PID:648 -
C:\Windows\SysWOW64\Ghagjj32.exeC:\Windows\system32\Ghagjj32.exe44⤵
- Executes dropped EXE
PID:1752 -
C:\Windows\SysWOW64\Hobfgcdb.exeC:\Windows\system32\Hobfgcdb.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1572 -
C:\Windows\SysWOW64\Hilghaqq.exeC:\Windows\system32\Hilghaqq.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2000 -
C:\Windows\SysWOW64\Ianambhc.exeC:\Windows\system32\Ianambhc.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:2508 -
C:\Windows\SysWOW64\Iobbfggm.exeC:\Windows\system32\Iobbfggm.exe48⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Ikibkhla.exeC:\Windows\system32\Ikibkhla.exe49⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Ihmcelkk.exeC:\Windows\system32\Ihmcelkk.exe50⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Jnlhbb32.exeC:\Windows\system32\Jnlhbb32.exe51⤵
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Jgdmkhnp.exeC:\Windows\system32\Jgdmkhnp.exe52⤵
- Executes dropped EXE
PID:2044 -
C:\Windows\SysWOW64\Jdhmel32.exeC:\Windows\system32\Jdhmel32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2432 -
C:\Windows\SysWOW64\Jmcbio32.exeC:\Windows\system32\Jmcbio32.exe54⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Jgiffg32.exeC:\Windows\system32\Jgiffg32.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2684 -
C:\Windows\SysWOW64\Jodkkj32.exeC:\Windows\system32\Jodkkj32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Jmhkdnfp.exeC:\Windows\system32\Jmhkdnfp.exe57⤵
- Executes dropped EXE
PID:1736 -
C:\Windows\SysWOW64\Kiolio32.exeC:\Windows\system32\Kiolio32.exe58⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Kiaiooja.exeC:\Windows\system32\Kiaiooja.exe59⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Kehidp32.exeC:\Windows\system32\Kehidp32.exe60⤵
- Executes dropped EXE
PID:236 -
C:\Windows\SysWOW64\Kbljmd32.exeC:\Windows\system32\Kbljmd32.exe61⤵
- Executes dropped EXE
PID:1300 -
C:\Windows\SysWOW64\Kemcookp.exeC:\Windows\system32\Kemcookp.exe62⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Lafpipoa.exeC:\Windows\system32\Lafpipoa.exe63⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Liaenblm.exeC:\Windows\system32\Liaenblm.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:1092 -
C:\Windows\SysWOW64\Lehfcc32.exeC:\Windows\system32\Lehfcc32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1772 -
C:\Windows\SysWOW64\Lejbhbpn.exeC:\Windows\system32\Lejbhbpn.exe66⤵PID:616
-
C:\Windows\SysWOW64\Lppgfkpd.exeC:\Windows\system32\Lppgfkpd.exe67⤵PID:2524
-
C:\Windows\SysWOW64\Moecghdl.exeC:\Windows\system32\Moecghdl.exe68⤵PID:2060
-
C:\Windows\SysWOW64\Mafmhcam.exeC:\Windows\system32\Mafmhcam.exe69⤵PID:2164
-
C:\Windows\SysWOW64\Mdfejn32.exeC:\Windows\system32\Mdfejn32.exe70⤵PID:1260
-
C:\Windows\SysWOW64\Mclbkjcf.exeC:\Windows\system32\Mclbkjcf.exe71⤵PID:2188
-
C:\Windows\SysWOW64\Mmaghc32.exeC:\Windows\system32\Mmaghc32.exe72⤵PID:2704
-
C:\Windows\SysWOW64\Npbpjn32.exeC:\Windows\system32\Npbpjn32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2692 -
C:\Windows\SysWOW64\Nliqoofa.exeC:\Windows\system32\Nliqoofa.exe74⤵PID:1884
-
C:\Windows\SysWOW64\Noiiaj32.exeC:\Windows\system32\Noiiaj32.exe75⤵PID:2992
-
C:\Windows\SysWOW64\Nkpjfkhf.exeC:\Windows\system32\Nkpjfkhf.exe76⤵
- System Location Discovery: System Language Discovery
PID:1040 -
C:\Windows\SysWOW64\Ohdkop32.exeC:\Windows\system32\Ohdkop32.exe77⤵PID:2756
-
C:\Windows\SysWOW64\Okecak32.exeC:\Windows\system32\Okecak32.exe78⤵
- Modifies registry class
PID:2108 -
C:\Windows\SysWOW64\Ojjqbg32.exeC:\Windows\system32\Ojjqbg32.exe79⤵PID:2844
-
C:\Windows\SysWOW64\Ocbekmpi.exeC:\Windows\system32\Ocbekmpi.exe80⤵
- System Location Discovery: System Language Discovery
PID:820 -
C:\Windows\SysWOW64\Omkidb32.exeC:\Windows\system32\Omkidb32.exe81⤵PID:2248
-
C:\Windows\SysWOW64\Ommfibdg.exeC:\Windows\system32\Ommfibdg.exe82⤵
- Drops file in System32 directory
PID:2564 -
C:\Windows\SysWOW64\Pcgnfl32.exeC:\Windows\system32\Pcgnfl32.exe83⤵PID:2496
-
C:\Windows\SysWOW64\Pblkgh32.exeC:\Windows\system32\Pblkgh32.exe84⤵PID:2012
-
C:\Windows\SysWOW64\Pfjdmggb.exeC:\Windows\system32\Pfjdmggb.exe85⤵PID:1584
-
C:\Windows\SysWOW64\Pbaebh32.exeC:\Windows\system32\Pbaebh32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1540 -
C:\Windows\SysWOW64\Pgpjpnhk.exeC:\Windows\system32\Pgpjpnhk.exe87⤵PID:2592
-
C:\Windows\SysWOW64\Qedjib32.exeC:\Windows\system32\Qedjib32.exe88⤵PID:1192
-
C:\Windows\SysWOW64\Qnlobhne.exeC:\Windows\system32\Qnlobhne.exe89⤵
- System Location Discovery: System Language Discovery
PID:1028 -
C:\Windows\SysWOW64\Ajcpgi32.exeC:\Windows\system32\Ajcpgi32.exe90⤵
- Drops file in System32 directory
PID:3032 -
C:\Windows\SysWOW64\Bdiciboh.exeC:\Windows\system32\Bdiciboh.exe91⤵
- System Location Discovery: System Language Discovery
PID:2664 -
C:\Windows\SysWOW64\Bamdcf32.exeC:\Windows\system32\Bamdcf32.exe92⤵PID:1836
-
C:\Windows\SysWOW64\Bpbadcbj.exeC:\Windows\system32\Bpbadcbj.exe93⤵
- Modifies registry class
PID:2584 -
C:\Windows\SysWOW64\Bpdnjb32.exeC:\Windows\system32\Bpdnjb32.exe94⤵
- Modifies registry class
PID:2184 -
C:\Windows\SysWOW64\Bmhncg32.exeC:\Windows\system32\Bmhncg32.exe95⤵PID:1972
-
C:\Windows\SysWOW64\Beccgi32.exeC:\Windows\system32\Beccgi32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2404 -
C:\Windows\SysWOW64\Clphjc32.exeC:\Windows\system32\Clphjc32.exe97⤵PID:2224
-
C:\Windows\SysWOW64\Clbdobpc.exeC:\Windows\system32\Clbdobpc.exe98⤵PID:1440
-
C:\Windows\SysWOW64\Chiedc32.exeC:\Windows\system32\Chiedc32.exe99⤵
- Modifies registry class
PID:2440 -
C:\Windows\SysWOW64\Cemfnh32.exeC:\Windows\system32\Cemfnh32.exe100⤵
- System Location Discovery: System Language Discovery
PID:1536 -
C:\Windows\SysWOW64\Cnhjbjam.exeC:\Windows\system32\Cnhjbjam.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2148 -
C:\Windows\SysWOW64\Dgqokp32.exeC:\Windows\system32\Dgqokp32.exe102⤵PID:2288
-
C:\Windows\SysWOW64\Dddodd32.exeC:\Windows\system32\Dddodd32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2828 -
C:\Windows\SysWOW64\Dnmdmj32.exeC:\Windows\system32\Dnmdmj32.exe104⤵PID:2668
-
C:\Windows\SysWOW64\Dcjleq32.exeC:\Windows\system32\Dcjleq32.exe105⤵PID:308
-
C:\Windows\SysWOW64\Dclikp32.exeC:\Windows\system32\Dclikp32.exe106⤵PID:2128
-
C:\Windows\SysWOW64\Dcofqphi.exeC:\Windows\system32\Dcofqphi.exe107⤵PID:1776
-
C:\Windows\SysWOW64\Ekjjebed.exeC:\Windows\system32\Ekjjebed.exe108⤵
- Modifies registry class
PID:1888 -
C:\Windows\SysWOW64\Ebfpglkn.exeC:\Windows\system32\Ebfpglkn.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2356 -
C:\Windows\SysWOW64\Eojpqpih.exeC:\Windows\system32\Eojpqpih.exe110⤵PID:792
-
C:\Windows\SysWOW64\Eclejclg.exeC:\Windows\system32\Eclejclg.exe111⤵PID:2448
-
C:\Windows\SysWOW64\Eqpfchka.exeC:\Windows\system32\Eqpfchka.exe112⤵PID:2428
-
C:\Windows\SysWOW64\Fqbbig32.exeC:\Windows\system32\Fqbbig32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2824 -
C:\Windows\SysWOW64\Fmicnhob.exeC:\Windows\system32\Fmicnhob.exe114⤵PID:1212
-
C:\Windows\SysWOW64\Fjmdgmnl.exeC:\Windows\system32\Fjmdgmnl.exe115⤵PID:2772
-
C:\Windows\SysWOW64\Fefdhj32.exeC:\Windows\system32\Fefdhj32.exe116⤵
- Drops file in System32 directory
PID:2720 -
C:\Windows\SysWOW64\Fbjeao32.exeC:\Windows\system32\Fbjeao32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1560 -
C:\Windows\SysWOW64\Gbmbgngb.exeC:\Windows\system32\Gbmbgngb.exe118⤵PID:2736
-
C:\Windows\SysWOW64\Gncblo32.exeC:\Windows\system32\Gncblo32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1832 -
C:\Windows\SysWOW64\Gnfoao32.exeC:\Windows\system32\Gnfoao32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1712 -
C:\Windows\SysWOW64\Gjmpfp32.exeC:\Windows\system32\Gjmpfp32.exe121⤵PID:1412
-
C:\Windows\SysWOW64\Ghqqpd32.exeC:\Windows\system32\Ghqqpd32.exe122⤵
- Modifies registry class
PID:1740
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-